incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <>
Subject Re: Possible validation security issue
Date Wed, 29 Aug 2012 18:43:35 GMT
Firstly, security issues (even suspected ones) should not be posted to a public mailing list

Secondly, you ask "Shouldn't couchdb prevent the author field from being updated?"

The answer, of course is, "Yes, if a validate_doc_update function prevents it". Yours doesn't
but should.


On 29 Aug 2012, at 19:28, Wordit wrote:

> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
> function (newDoc, oldDoc, userCtx) {
>  if ( {
>    if( != {
>      throw({"forbidden": "You may only update documents with author " +
>    }
>  }
> }
> A user who is *not* will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not author, only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
> I've been testing this on, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
> db has two fields.
> author: usera
> text: my wonderful text
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
> curl -X PUT -d
> '{"_rev":"3-456","author":"userb"}' -H "Content-type:
> application/json"
> couch returns new _rev:4-567
> Now the document belongs to userb, the text field can be updated.
> curl -X PUT -d
> '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H
> "Content-type: application/json"
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
> Can anyone confirm, and if this is correct, how can the document be secured?
> Thanks,
> Marcus

View raw message